Remote code execution in Calendar portlet
Description
Samuel Kong, July 3, 2012 at 4:38 AM
The code for this ticket was committed under .
Fixed
Details
Assignee: SE Support
Reporter: Samuel Kong (Deactivated)
Priority: Medium
Created July 3, 2012 at 4:06 AM
Updated June 24, 2023 at 3:52 PM
Resolved July 3, 2012 at 4:07 AM
An attacker with access to JSON services can cause Java code written in the title or the description of a calendar to execute. If the attacker also has permission to create events in the Calendar portlet, the attacker will be able to execute any Java code on the server.
Workaround
Disable JSON service's access to CalEventServiceUtil by adding "com.liferay.portlet.calendar.service.CalEventServiceUtil" to the "json.service.invalid.class.names" property in portal-ext.properties. For example:
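One way to verify the workaround is in place, as an added example that is not part of the original ticket or of Liferay's code: the script parses portal-ext.properties text (including backslash line continuations) and reports whether CalEventServiceUtil is listed in json.service.invalid.class.names. The sample file contents are constructed, com.example.OtherServiceUtil is a placeholder class name, and requiring every definition of the property to list the class is a conservative assumption.

```python
import re

PROPERTY = "json.service.invalid.class.names"
BLOCKED_CLASS = "com.liferay.portlet.calendar.service.CalEventServiceUtil"


def parse_properties(text):
    """Return (key, value) pairs from Java .properties text, honouring
    comment lines and backslash line continuations. Key escapes are not
    handled (simplification)."""
    pairs, pending = [], ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        # An odd number of trailing backslashes continues the logical line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending += line[:-1]
            continue
        logical, pending = pending + line, ""
        m = re.match(r"([^=:\s]+)[ \t]*[=:]?[ \t]*(.*)", logical)
        if m:
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs


def workaround_applied(text):
    """True only if the property is set and every definition of it lists
    CalEventServiceUtil. Requiring all definitions is a conservative
    assumption: duplicate-key handling depends on the properties loader."""
    values = [v for k, v in parse_properties(text) if k == PROPERTY]
    return bool(values) and all(
        BLOCKED_CLASS in {c.strip() for c in v.split(",")} for v in values
    )


# Constructed sample files; com.example.OtherServiceUtil is a placeholder.
SAMPLE_FIXED = """\
# portal-ext.properties (constructed)
json.service.invalid.class.names=\\
    com.example.OtherServiceUtil,\\
    com.liferay.portlet.calendar.service.CalEventServiceUtil
"""
SAMPLE_COMMENTED = "#" + PROPERTY + "=" + BLOCKED_CLASS + "\n"
SAMPLE_CONFLICT = SAMPLE_FIXED + PROPERTY + "=com.example.OtherServiceUtil\n"

if __name__ == "__main__":
    for name in ("SAMPLE_FIXED", "SAMPLE_COMMENTED", "SAMPLE_CONFLICT"):
        print(name, workaround_applied(globals()[name]))
```

A commented-out entry and a second definition that omits the class are both reported as not applied.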